Forwarding OCSP request to a specific responder (or profile)

Question

Hi all.&nbsp;
We have this web service where we need to authenticate users (x509 mutual authentication). So we also need to verify the revocation status of users certificates. All these user certificates are signed by a bundle of cas (so the ocsp responder is not always the same).
We discovered that creating a responder leaving the URL field empty let the bigip to extract AIA field from user certificate and forward the ocsp request to the specific remote responder.
This works well.
But this AIA field is not present in all certificates.
So what we would like to do is to manually forward the request to a specific responder or profile (already configured on the bigip) the moment we detect a certificate where the AIA field is missing (we know this by reading issuer hash the moment user certificate is presented).&nbsp;
Any ideas?  &nbsp;
Thanks&nbsp;

yann_desmarest · Answer

Hi,&nbsp;
I think that the following codeshare provide what you need : &nbsp;
https://devcentral.f5.com/codeshare?sid=462&nbsp;
If you are using APM, it's even easier, you can define an OCSP AAA object, specify an URI and check "Ignore AIA"&nbsp;

Forum Discussion

Forwarding OCSP request to a specific responder (or profile)

1 Reply

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

How to tell nginx to use a forward proxy to reach a specific destination

Change cookie domain in HTTP::respond

Large payload post requests aren't responding

Gzip content when using HTTP::respond

Disabling Specific Weak Cipher Suites